I taught we were talking about users which are expected to understand what is a software repository or what is a software install package, the security improvement would be for those users, to make sure they would understand the risks of using such resources. In my opinion for users which do have the trivial understanding of software installation on the system, the only safe approach is to not grant them admin privileges at all. I guess the goal is not to discourage users from downloading software of the Web in general, the goal is to drive the users to install software from trusted sources. Both repositories and web sites can be trusted or untrusted sources. The option of providing an installer dialog to present the users to the basic rules of security when dealing with system software installation was oriented for those which (I hope) are the minority of users which still do not understand the risks of installing software from random sources, probably it is not a feature that would make a difference for most users. The major source of spyware/virus/trojans has been: 1 - exploits which allow the unattended installation of software 2 - fake software, or "companion" software Case 1 can only be addressed by providing security fixes in time in case such exploits are discovered Case 2 can only be addressed by educating people on how to use the internet on a safely manner, again, typing random commands from an untrusted web site is a major security risk for any OS, and it is a very common practice for Linux users in particular Best regards, <div>2007/10/2, Matthew Paul Thomas <<a href="mailto:mpt@canonical.com">mpt@canonical.com</a>>:<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> On Oct 2, 2007, at 11:51 AM, João Pinto wrote: > ... > If PPAs availability increases there will be nasty people providing > nasty packages, if you are concerned about naive users, then my first > suggestion is to present an initial screen during Ubuntu install with: > "If you add extra repositories or install .debs from the web, please > make sure you are using a trusted source, otherwise you may get > malicious software", if it is important enough, let's make it hard to > accept, it is a simple text o read (1 line), there is no excuse for > "next -> next". > ... Regardless of whether you think there is any "excuse" for "next -> next", most people would still do it, and wouldn't read the message. Even if they did read the message, most wouldn't have a clue what you meant by "repositories", ".debs", or "trusted source". And even if they did understand the message, it could be weeks, months, or years later that they first had the opportunity to download software from the Web. Quite long enough to forget that they shouldn't be doing it. If you want to discourage people from downloading software off the Web, an operating system installer is hardly the place to do it. Cheers -- Matthew Paul Thomas <a href="http://mpt.net.nz/"> http://mpt.net.nz/</a> -- Ubuntu-devel-discuss mailing list <a href="mailto:Ubuntu-devel-discuss@lists.ubuntu.com">Ubuntu-devel-discuss@lists.ubuntu.com</a> Modify settings or unsubscribe at: <a href="https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss"> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss</a> </blockquote></div> -- João Pinto GetDeb Package Builder <a href="http://www.getdeb.net">http://www.getdeb.net </a>